package org.keycloak.authentication.authenticators.x509;

import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.ProviderConfigProperty;

/* loaded from: input_file:org/keycloak/authentication/authenticators/x509/AbstractX509ClientCertificateAuthenticatorFactory.class */
/**
 * Base factory for the X.509 client-certificate authenticators.
 *
 * <p>Its job, as far as this class shows, is to publish the list of configuration
 * properties (name, type, label, help text, default) that describe how a client
 * certificate is validated and how an identity extracted from it is mapped to a user.
 * The validation itself lives in the authenticator classes, not here.
 *
 * <p>Security-relevant defaults registered below: certificate validity-period checking
 * defaults to {@code "true"}, OCSP fail-open defaults to {@code "false"}, and CRL
 * distribution-point lookup defaults to {@code "false"}. The CRL, OCSP, revalidation and
 * confirmation-bypass switches are registered without a default value.
 */
public abstract class AbstractX509ClientCertificateAuthenticatorFactory implements AuthenticatorFactory {
    /** Certificate fields an identity can be read from; the first entry is the default. */
    private static final String[] mappingSources = {
        AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN,
        AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL,
        AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL,
        AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTALTNAME_OTHERNAME,
        AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN_CN,
        AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_ISSUERDN,
        AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SERIALNUMBER,
        AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SERIALNUMBER_ISSUERDN,
        AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SHA256_THUMBPRINT,
        AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_CERTIFICATE_PEM
    };

    /** Ways of matching the extracted identity to a user; the first entry is the default. */
    private static final String[] userModelMappers = {
        AbstractX509ClientCertificateAuthenticator.USER_ATTRIBUTE_MAPPER,
        AbstractX509ClientCertificateAuthenticator.USERNAME_EMAIL_MAPPER
    };

    /** Certificate-policy matching modes; the first entry is the default. */
    private static final String[] CERTIFICATE_POLICY_MODES = {
        AbstractX509ClientCertificateAuthenticator.CERTIFICATE_POLICY_MODE_ALL,
        AbstractX509ClientCertificateAuthenticator.CERTIFICATE_POLICY_MODE_ANY
    };

    /** Shared, statically built list of every configuration property of this authenticator. */
    protected static final List<ProviderConfigProperty> configProperties;

    static {
        // --- Identity extraction -------------------------------------------------------
        ProviderConfigProperty identitySource = selection(
                AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_SELECTION,
                "User Identity Source",
                "Choose how to extract user identity from X509 certificate or the certificate fields. For example, SubjectDN will match the custom regular expression specified below to the value of certificate's SubjectDN field.",
                mappingSources);

        ProviderConfigProperty canonicalDn = property(
                "boolean",
                AbstractX509ClientCertificateAuthenticator.CANONICAL_DN,
                "Canonical DN representation enabled",
                "Use the canonical format to determine the distinguished name. This option is relevant for authenticators using a distinguished name.",
                Boolean.toString(false));

        ProviderConfigProperty serialNumberHex = property(
                "boolean",
                AbstractX509ClientCertificateAuthenticator.SERIALNUMBER_HEX,
                "Enable Serial Number hexadecimal representation",
                "Use the hex representation of the serial number. This option is relevant for authenticators using serial number.",
                Boolean.toString(false));

        // The default pattern's single group runs to the end of the input, so the selected
        // certificate field is taken as the identity essentially unchanged.
        // NOTE(review): how the pattern is applied (find vs. full match) is not visible in
        // this class; an administrator-supplied pattern decides which part of the field
        // becomes the identity, so it deserves review whenever it is changed.
        ProviderConfigProperty identityRegex = property(
                "String",
                AbstractX509ClientCertificateAuthenticator.REGULAR_EXPRESSION,
                "A regular expression to extract user identity",
                "The regular expression to extract a user identity. The expression must contain a single group. For example, 'uniqueId=(.*?)(?:,|$)' will match 'uniqueId=somebody@company.org, CN=somebody' and give somebody@company.org",
                "(.*?)(?:$)");

        // --- Identity-to-user mapping --------------------------------------------------
        ProviderConfigProperty userMapper = selection(
                AbstractX509ClientCertificateAuthenticator.USER_MAPPER_SELECTION,
                "User mapping method",
                "Choose how to map extracted user identities to users",
                userModelMappers);

        ProviderConfigProperty userAttribute = property(
                "MultivaluedString",
                AbstractX509ClientCertificateAuthenticator.CUSTOM_ATTRIBUTE_NAME,
                "A name of user attribute",
                "A name of user attribute to map the extracted user identity to existing user. The name must be a valid, existing user attribute if User Mapping Method is set to Custom Attribute Mapper. Multiple values are relevant when attribute mapping is related to multiple values, e.g. 'Certificate Serial Number and IssuerDN'",
                AbstractX509ClientCertificateAuthenticator.DEFAULT_ATTRIBUTE_NAME);

        // --- Certificate validity and revocation ---------------------------------------
        // Validity-period checking is on by default ("true").
        ProviderConfigProperty timestampValidation = property(
                "boolean",
                AbstractX509ClientCertificateAuthenticator.TIMESTAMP_VALIDATION,
                "Check certificate validity",
                "Will verify that the certificate has not expired yet and is already valid by checking the attributes 'notBefore' and 'notAfter'.",
                Boolean.toString(true));

        // No default value is registered for the CRL switch; what an unset value means is
        // decided by the code that reads the configuration.
        // NOTE(review): if unset resolves to "off", revocation checking is opt-in - confirm.
        ProviderConfigProperty crlEnabled = property(
                "boolean",
                AbstractX509ClientCertificateAuthenticator.ENABLE_CRL,
                "CRL Checking Enabled",
                "Enable Certificate Revocation Checking using CRL");

        ProviderConfigProperty crlDistributionPoint = property(
                "boolean",
                AbstractX509ClientCertificateAuthenticator.ENABLE_CRLDP,
                "Enable CRL Distribution Point to check certificate revocation status",
                "CRL Distribution Point is a starting point for CRL. If this is ON, then CRL checking will be done based on the CRL distribution points included in the checked certificates. CDP is optional, but most PKI authorities include CDP in their certificates.",
                Boolean.toString(false));

        // Per the help text the value may be an http/ldap URL or a file path.
        // NOTE(review): whether a fetched CRL is integrity-checked before use is not
        // visible here - confirm in the code that loads the CRL.
        ProviderConfigProperty crlPath = property(
                "MultivaluedString",
                AbstractX509ClientCertificateAuthenticator.CRL_RELATIVE_PATH,
                "CRL Path",
                "Applied just if CRL checking is ON and CRL Distribution point is OFF. It contains the URL (typically 'http' or 'ldap') where the CRL is available. Alternatively it can contain the path to a CRL file that contains a list of revoked certificates. Paths are assumed to be relative to $jboss.server.config.dir. Multiple CRLs can be included, however it can affect performance as the certificate will be checked against all listed CRLs.",
                "crl.pem");

        // As with the CRL switch, no default value is registered for the OCSP switch.
        ProviderConfigProperty ocspEnabled = property(
                "boolean",
                AbstractX509ClientCertificateAuthenticator.ENABLE_OCSP,
                "OCSP Checking Enabled",
                "Enable Certificate Revocation Checking using OCSP");

        // Default "false" means fail closed: per the help text a successful OCSP response
        // is required. Turning this on allows authentication with certificates whose OCSP
        // endpoint is missing, invalid or inconclusive.
        ProviderConfigProperty ocspFailOpen = property(
                "boolean",
                AbstractX509ClientCertificateAuthenticator.OCSP_FAIL_OPEN,
                "OCSP Fail-Open Behavior",
                "Whether to allow or deny authentication for client certificates that have missing/invalid/inconclusive OCSP endpoints. By default a successful OCSP response is required.",
                Boolean.toString(false));

        ProviderConfigProperty ocspResponderUri = property(
                "String",
                AbstractX509ClientCertificateAuthenticator.OCSPRESPONDER_URI,
                "OCSP Responder Uri",
                "Clients use OCSP Responder Uri to check certificate revocation status.");

        ProviderConfigProperty ocspResponderCertificate = property(
                "Text",
                AbstractX509ClientCertificateAuthenticator.OCSPRESPONDER_CERTIFICATE,
                "OCSP Responder Certificate",
                "Optional certificate used by the responder to sign the responses. The certificate should be in PEM format without BEGIN and END tags. It is only used if the OCSP Responder URI is set. By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated or one with the OCSPSigning extension and also issued by the same CA. This option identifies the certificate of the OCSP responder when the defaults do not apply.");

        // --- Certificate extension checks (a blank value disables the check) ------------
        ProviderConfigProperty keyUsage = property(
                "String",
                AbstractX509ClientCertificateAuthenticator.CERTIFICATE_KEY_USAGE,
                "Validate Key Usage",
                "Validates that the purpose of the key contained in the certificate (encipherment, signature, etc.) matches its intended purpose. Leaving the field blank will disable Key Usage validation. For example, 'digitalSignature, keyEncipherment' will check if the digitalSignature and keyEncipherment bits (bit 0 and bit 2 respectively) are set in certificate's X509 Key Usage extension. See RFC 5280 for a detailed definition of X509 Key Usage extension.");

        ProviderConfigProperty extendedKeyUsage = property(
                "String",
                AbstractX509ClientCertificateAuthenticator.CERTIFICATE_EXTENDED_KEY_USAGE,
                "Validate Extended Key Usage",
                "Validates the extended purposes of the certificate's key using certificate's Extended Key Usage extension. Leaving the field blank will disable Extended Key Usage validation. See RFC 5280 for a detailed definition of X509 Extended Key Usage extension.");

        ProviderConfigProperty certificatePolicy = property(
                "String",
                AbstractX509ClientCertificateAuthenticator.CERTIFICATE_POLICY,
                "Validate Certificate Policy",
                "Validates the certificate policies of the certificate's key using certificate's Policy extension. Leaving the field blank will disable Certificate Policies validation. Multiple policies should be separated using a comma. See RFC 5280 for a detailed definition of X509 Certificate Policy extension.");

        ProviderConfigProperty certificatePolicyMode = selection(
                AbstractX509ClientCertificateAuthenticator.CERTIFICATE_POLICY_MODE,
                "Certificate Policy Validation Mode",
                "If Certificate Policy validation is specified, indicates whether it should match all or at least one of the specified policies.",
                CERTIFICATE_POLICY_MODES);

        // --- Flow behaviour ------------------------------------------------------------
        // No default value is registered for either of the two switches below.
        ProviderConfigProperty bypassConfirmation = property(
                "boolean",
                AbstractX509ClientCertificateAuthenticator.CONFIRMATION_PAGE_DISALLOWED,
                "Bypass identity confirmation",
                "By default, the users are prompted to confirm their identity extracted from X509 client certificate. The identity confirmation prompt is skipped if the option is switched on.");

        // Per the help text this re-checks the certificate against the truststore, which
        // matters when a fronting proxy does not validate client certificates itself.
        // NOTE(review): in that topology with this switch off, confirm where (if anywhere)
        // the chain is validated - it cannot be determined from this class.
        ProviderConfigProperty revalidateCertificate = property(
                "boolean",
                AbstractX509ClientCertificateAuthenticator.REVALIDATE_CERTIFICATE,
                "Revalidate Client Certificate",
                "Forces revalidation of the client certificate according to the certificates defined in the truststore. This is useful when behind a non-validating proxy or when the number of allowed certificate chains would be too large for mutual SSL negotiation.");

        // The published order is kept exactly as before: the two flow switches sit ahead
        // of the certificate-policy pair rather than after it.
        configProperties = Arrays.asList(
                identitySource,
                canonicalDn,
                serialNumberHex,
                identityRegex,
                userMapper,
                userAttribute,
                timestampValidation,
                crlEnabled,
                crlDistributionPoint,
                crlPath,
                ocspEnabled,
                ocspFailOpen,
                ocspResponderUri,
                ocspResponderCertificate,
                keyUsage,
                extendedKeyUsage,
                bypassConfirmation,
                revalidateCertificate,
                certificatePolicy,
                certificatePolicyMode);
    }

    /** Creates a property with the given type, name, label and help text and no default value. */
    private static ProviderConfigProperty property(String type, String name, String label, String helpText) {
        ProviderConfigProperty entry = new ProviderConfigProperty();
        entry.setType(type);
        entry.setName(name);
        entry.setLabel(label);
        entry.setHelpText(helpText);
        return entry;
    }

    /** Same as the four-argument form, additionally registering {@code defaultValue}. */
    private static ProviderConfigProperty property(
            String type, String name, String label, String helpText, Object defaultValue) {
        ProviderConfigProperty entry = property(type, name, label, helpText);
        entry.setDefaultValue(defaultValue);
        return entry;
    }

    /**
     * Creates a {@code "List"} property whose options are {@code choices} (copied into a
     * fresh list) and whose default is the first choice.
     */
    private static ProviderConfigProperty selection(String name, String label, String helpText, String[] choices) {
        List<String> options = new LinkedList<>();
        Collections.addAll(options, choices);
        ProviderConfigProperty entry = property("List", name, label, helpText, choices[0]);
        entry.setOptions(options);
        return entry;
    }

    /**
     * Returns the configuration properties of the authenticator.
     *
     * <p>This is the shared static list itself, not a copy. It is backed by
     * {@link Arrays#asList}, so it cannot grow or shrink but its elements can still be
     * replaced; callers should treat it as read-only.
     *
     * @return the shared list of configuration properties
     */
    public List<ProviderConfigProperty> getConfigProperties() {
        return configProperties;
    }

    /**
     * Returns the reference category of this authenticator.
     *
     * @return always {@code null}
     */
    public String getReferenceCategory() {
        return null;
    }

    /**
     * Reports whether the authenticator exposes configuration.
     *
     * @return always {@code true}
     */
    public boolean isConfigurable() {
        return true;
    }

    /**
     * Reports whether users may set this authenticator up themselves.
     *
     * @return always {@code false}
     */
    public boolean isUserSetupAllowed() {
        return false;
    }

    /** Does nothing; this factory reads no start-up configuration. */
    public void init(Config.Scope scope) {
    }

    /** Does nothing. */
    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
    }

    /** Does nothing; the factory holds no resources to release. */
    public void close() {
    }
}
